From df153885773295c755762017b709e0b4a306f8d1 Mon Sep 17 00:00:00 2001
From: jonjozwiak
Date: Fri, 22 May 2020 17:05:02 -0500
Subject: [PATCH] Adding insecure SSL checks for CloudFront and CLB/ALB
(cherry picked from commit c9a60c07a2b5497cbed2d70c53821d826171dd68)
---
checks/check_extra791 | 33 ++++++++++++++
checks/check_extra792 | 104 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 137 insertions(+)
create mode 100644 checks/check_extra791
create mode 100644 checks/check_extra792
diff --git a/checks/check_extra791 b/checks/check_extra791
new file mode 100644
index 00000000..70df9743
--- /dev/null
+++ b/checks/check_extra791
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra791="7.91"
+CHECK_TITLE_extra791="[extra791] Check if CloudFront distributions are using deprecated SSL protocols"
+CHECK_SCORED_extra791="NOT_SCORED"
+CHECK_TYPE_extra791="EXTRA"
+CHECK_ALTERNATE_check791="extra791"
+
+extra791(){
+ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
+ if [[ $LIST_OF_DISTRIBUTIONS ]];then
+ for dist in $LIST_OF_DISTRIBUTIONS; do
+ CHECK_ORIGINSSLPROTOCOL_STATUS=$($AWSCLI cloudfront get-distribution --id $dist --query Distribution.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items $PROFILE_OPT --output text)
+ if [[ $CHECK_ORIGINSSLPROTOCOL_STATUS == *"SSLv2"* ]] || [[ $CHECK_ORIGINSSLPROTOCOL_STATUS == *"SSLv3"* ]]; then
+ textFail "CloudFront distribution $dist is using a deprecated SSL protocol!" "$regx"
+ else
+ textPass "CloudFront distribution $dist is not using a deprecated SSL protocol" "$regx"
+ fi
+ done
+ else
+ textInfo "No CloudFront distributions found" "$regx"
+ fi
+}
diff --git a/checks/check_extra792 b/checks/check_extra792
new file mode 100644
index 00000000..ace02882
--- /dev/null
+++ b/checks/check_extra792
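Review bot: `$regx` is passed as the region argument to textFail, textPass and textInfo throughout extra791, but nothing in this file assigns it, so the reported region is empty or whatever value an earlier check left behind; set it explicitly before the list-distributions call (e.g. `regx=global`, or whichever label the other global-service checks use). The `--query` argument of the get-distribution call is unquoted, so the `[]` in it is exposed to shell globbing; quote it the same way as the list-distributions query, `--query 'Distribution.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items'`. The check only reads CustomOriginConfig.OriginSslProtocols, i.e. the origin side of the distribution, while the title suggests the distribution as a whole; a comment above the loop such as `# Origin-side only: the viewer-facing MinimumProtocolVersion is not inspected here` would keep readers from assuming broader coverage.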
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra792="7.87"
+CHECK_TITLE_extra792="[extra792] Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra792="NOT_SCORED"
+CHECK_TYPE_extra792="EXTRA"
+CHECK_ALTERNATE_check792="extra792"
+
+extra792(){
+ # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
+ for regx in $REGIONS; do
+ LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
+ LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn' --output text|xargs -n1)
+ if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then
+ if [[ $LIST_OF_ELBS ]]; then
+ # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers
+ # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
+ ELBSECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-1-2017-01")
+ ELBSECURECIPHERS=("Protocol-TLSv1.2" "Protocol-TLSv1.1" "Protocol-TLSv1" "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256" "ECDHE-ECDSA-AES128-SHA256" "ECDHE-RSA-AES128-SHA256" "ECDHE-ECDSA-AES128-SHA" "ECDHE-RSA-AES128-SHA" "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384" "ECDHE-ECDSA-AES256-SHA384" "ECDHE-RSA-AES256-SHA384" "ECDHE-RSA-AES256-SHA" "ECDHE-ECDSA-AES256-SHA" "AES128-GCM-SHA256" "AES128-SHA256" "AES128-SHA" "AES256-GCM-SHA384" "AES256-SHA256" "AES256-SHA" "Server-Defined-Cipher-Order")
+
+ for elb in $LIST_OF_ELBS; do
+ ELB_POLICIES=$($AWSCLI elb describe-load-balancers --load-balancer-name $elb --query "LoadBalancerDescriptions[0].ListenerDescriptions[*].PolicyNames" --output text)
+ passed=true
+ for policy in $ELB_POLICIES; do
+ # Check for secure default policy
+ REFPOLICY=$($AWSCLI elb describe-load-balancer-policies $PROFILE_OPT --region $regx --load-balancer-name $elb --policy-name $policy --query "PolicyDescriptions[0].PolicyAttributeDescriptions[?(AttributeName == 'Reference-Security-Policy')].AttributeValue" --output text)
+ if [[ -n "$REFPOLICY" ]]; then
+ if array_contains ELBSECUREPOLICIES "$REFPOLICY"; then
+ continue # Passed for this listener/policy
+ else
+ passed=false
+ fi
+ else
+ # A custom policy is in use. Check Ciphers
+ CIPHERS=$($AWSCLI elb describe-load-balancer-policies $PROFILE_OPT --region $regx --load-balancer-name $elb --policy-name $policy --query "PolicyDescriptions[0].PolicyAttributeDescriptions[?(AttributeValue == 'true')].AttributeName" --output text)
+ for cipher in $CIPHERS; do
+ if array_contains ELBSECURECIPHERS "$cipher"; then
+ continue
+ else
+ passed=false
+ fi
+ done
+ fi
+ done
+
+ if $passed; then
+ textPass "$regx: $elb has no insecure SSL ciphers" "$regx"
+ else
+ textFail "$regx: $elb has insecure SSL ciphers" "$regx"
+ fi
+ done
+ fi
+ if [[ $LIST_OF_ELBSV2 ]]; then
+ # NOTE - ALBs do NOT support custom security policies
+ # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
+ ELBV2SECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-1-2017-01" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-2018-06" "ELBSecurityPolicy-FS-1-1-2019-08" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-2015-05")
+ for elbarn in $LIST_OF_ELBSV2; do
+ passed=true
+ elbname=$(echo $elbarn | awk -F 'loadbalancer/app/' '{print $2}' | awk -F '/' '{print $1}')
+ ELBV2_SSL_POLICIES=$($AWSCLI elbv2 describe-listeners $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query 'Listeners[*].SslPolicy' --output text)
+
+ for policy in $ELBV2_SSL_POLICIES; do
+ if array_contains ELBV2SECUREPOLICIES "$policy"; then
+ continue # Passed for this listener/policy
+ else
+ passed=false
+ fi
+ done
+
+ if $passed; then
+ textPass "$regx: $elbname has no insecure SSL ciphers" "$regx"
+ else
+ textFail "$regx: $elbname has insecure SSL ciphers" "$regx"
+ fi
+ done
+ fi
+ else
+ textInfo "$regx: No ELBs found" "$regx"
+ fi
+ done
+}
+
+array_contains () {
+ local array="$1[@]"
+ local seeking=$2
+ local in=1
+ for element in "${!array}"; do
+ if [[ $element == "$seeking" ]]; then
+ in=0
+ break
+ fi
+ done
+ return $in
+}
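Review bot: The describe-load-balancers call that fills `ELB_POLICIES` is the only AWS call inside extra792's region loop without `$PROFILE_OPT --region $regx`, so it runs against the default profile and region and will fail or resolve the wrong `$elb` for every other region being scanned; change it to `ELB_POLICIES=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --load-balancer-name $elb --query "LoadBalancerDescriptions[0].ListenerDescriptions[*].PolicyNames" --output text)`. `CHECK_ID_extra792="7.87"` also looks out of step with extra791's "7.91" and may collide with an existing 7.87 check; confirm the intended number. ELBSECURECIPHERS lists `Protocol-TLSv1` as acceptable, so a custom policy that enables TLS 1.0 is reported as having no insecure ciphers, presumably because the predefined policies in ELBSECUREPOLICIES permit it too; record that choice next to the array, e.g. `# Mirrors the AWS predefined policies above: TLS 1.0 is treated as acceptable, only SSLv2/SSLv3-era ciphers fail`.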